Tag: Proxy Cache

Web Application Proxy is a role in Windows Server 2012 R2. It brings some, but not all, of the functionality of Microsoft Forefront TMG and Microsoft Forefront UAG. Microsoft has phased out the Forefront product line except FIM, so Web Application Proxy is the role in Windows Server 2012 R2 for customers who still want to use the Microsoft platform to publish applications such as Exchange 2013, Lync 2013 and SharePoint 2013 to external clients and vendors.

Web Application Proxy provides pre-authentication and authorization using Active Directory Federation Services, including multifactor authentication and access control. AD FS is deployed separately from Web Application Proxy, which means you must have a separate server hosting the AD FS role.

Benefits of Web Application Proxy

Pre-authentication—Only authenticated traffic can get into the corporate network.

Selective Publishing—Only specific applications and paths within these applications are accessible.

DDoS Protection—Incoming traffic arrives at Web Application Proxy before hitting the corporate network. Because Web Application Proxy acts as a proxy, many DDoS attacks can be prevented from reaching the backend servers.

Extended validation—URL validation and verification using a public certificate authority. Supports strong security and encryption using SHA and 2048-bit certificate encryption.

Web Application Proxy Infrastructure

Active Directory Domain Services (AD DS)

Internal Domain Naming System (DNS)

External DNS Name Resolver or ISP

Active Directory Federation Services (AD FS)

Active Directory Certificate Services (AD CS)

Web Application Proxy Server(s)

Public Certificate Authority

Internal Enterprise Certificate Authority

Backend Application Server(s)

Web Application Proxy Network

Web Application Proxy can be deployed in several topologies. In all of these scenarios Web Application Proxy needs two network adapters.

Edge Firewall: Behind a frontend firewall such as a Cisco ASA that separates it from the internet. The firewall must allow HTTPS (443) traffic to and from the Web Application Proxy server.

DMZ: Behind a frontend firewall such as a Cisco ASA that separates it from the internet, and in front of a corporate firewall such as a Cisco ASA that separates it from the corporate network. The firewalls must allow HTTPS (443) traffic to and from the Web Application Proxy server. For client certificate authentication, you must also configure the firewall to allow traffic on port 49443.

Edge Configuration: One network adapter is directly connected to the internet and the other is connected to the corporate network. Web Application Proxy can be a member of an Active Directory domain.

TCP/IP Configuration Examples

Scenario: non-domain joined
Internal NIC: IP 10.10.10.20, Subnet 255.255.255.0, Gateway 10.10.10.254, DNS 10.10.10.21
External NIC: IP 192.168.0.10, Subnet 255.255.255.0, Gateway NIL, DNS NIL

Scenario: Domain Joined
Internal NIC: IP 10.10.10.20, Subnet 255.255.255.0, Gateway NIL, DNS 10.10.10.21
External NIC: IP 203.17.x.x (Public IP), Subnet 255.255.255.0, Gateway 203.17.x.254 (Public Gateway), DNS 8.8.8.8 or Public DNS

DNS Requirement

Internal DNS: Web Application Proxy must resolve the internal fully qualified domain name of the backend application server, such as the Exchange or SharePoint server. You must configure the correct DNS records and TCP/IP settings of the Web Application Proxy server, either using a DNS server or by editing the hosts file in Windows\System32\Drivers\Etc.

External DNS: External clients must resolve the fully qualified domain name of the application. In this case, you must configure a HOST (A) record in the public DNS server. Note that the external URL must resolve to the external IP address of the Web Application Proxy server, or to the external IP address of a firewall or load balancer placed in front of the Web Application Proxy server.

Load Balancer Consideration

Web Application Proxy does not have a built-in load balancer or ISP redundancy functionality. Depending on your requirements, you can use any hardware or software load balancer to balance load between two or more Web Application Proxy servers.

Domain Joined or non-domain joined

Web Application Proxy can be deployed without joining the server to an Active Directory domain or by joining the Web Application Proxy server to a standalone domain in a perimeter network.

You can deploy Web Application Proxy with a read-only domain controller. However, if you want to deploy Web Application Proxy and DirectAccess on the same server, you cannot use a read-only domain controller.

Authentication Consideration

Web Application Proxy can work with the following authentication protocols.

AD FS pre-authentication

Integrated Windows authentication

Pass-through pre-authentication

Network Time Protocol (NTP)

You must have a proper NTP server in your organization. The NTP server can be your domain controller or a Cisco core switch. Timestamps must be identical between AD FS and the Web Application Proxy server.

Certificate Authority

There are two types of certificate requirements for the Web Application Proxy server: Public CA and Enterprise CA.

Public CA: For external clients to be able to connect to published web applications using HTTPS, Web Application Proxy must present a certificate that is trusted by the clients. In this case you must bind a public certificate to the published application on the backend server and on the Web Application Proxy server.

Enterprise CA: The AD FS certificate must match the federation service name. AD FS can use an internal Enterprise CA. For example, the Common Name (CN) of the certificate is adfs.superplaneteers.com.

Supported Certificate Template

Web Server certificates with a single common name, subject alternative name (SAN) certificates, or wildcard certificates.

Pass-Through Pre-Authentication

When you publish Exchange and SharePoint using the Web Application Proxy server, you can pass authentication through to the specific application instead of authenticating at AD FS or Web Application Proxy. In this case Web Application Proxy forwards the HTTPS request directly to the backend server using either HTTP or HTTPS. Pass-through authentication is still a worry-free deployment because it prevents DDoS and SQL injection and provides network isolation.

In this article I am going to write about SOCKS proxy and the applications of SOCKS proxy in the enterprise. Let's begin with SOCKS proxy. Socket Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS servers will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded. SOCKS operates at Layer 5 of the OSI model—the session layer.

In simple terms, SOCKS is an IETF-approved standard for TCP/IP-based networking applications. A SOCKS proxy allows traffic to be handled by a proxy for those applications (IM, ICQ) that have no native ability to set proxy parameters.

Let me explain the forward proxy, or proxy server. A proxy server's function is to receive a request from a web browser or client, to perform that request (possibly after authorization checks), and to return the results to the browser or client.

The advantage of a proxy is that the IP addresses or names of the internal systems never appear on the Internet; the Internet sees only the address of the proxy server, so attackers cannot use those addresses to gain information about your internal system names and network structure. Requests for certain sites can be restricted or banned. Web proxy servers usually support many protocols, including HTTP, FTP, Gopher and HTTPS.

How does a SOCKS server work? Proxy servers can themselves use the SOCKS protocol to provide additional security. A SOCKS proxy adds a layer of encapsulation to the request from the client and forwards the encapsulated request to the destination.

Advantages:

Any TCP protocol can be encapsulated within the SOCKS protocol. On the client system, within the corporate network, the data packets to be sent to or from an external system are put inside a SOCKS packet and sent to a SOCKS server.

Returning packets are sent to the SOCKS server, which encapsulates them similarly and passes them on to the original client, which removes the SOCKS encapsulation, giving the required data.

The advantage of all this is that the firewall can be very simply configured to allow any TCP/IP connection on any port from the SOCKS server to the non-secure Internet, trusting it to disallow any connections that are initiated from the Internet.

Disadvantages:

The disadvantages are that browser configuration is more complex, the added data transfers can add extra delay to page access, and sometimes proxies impose additional restrictions such as a time-out on the length of a connection, preventing very large downloads.
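The encapsulation described above, shown on both sides of a SOCKS5 CONNECT exchange. This is an added example written for this page, not code from the original article or from any proxy product; the request bytes and the "succeeded" reply are constructed here, and the proxy-side parser is where a SOCKS server would apply the ruleset and logging that let the firewall trust only the SOCKS server for outbound connections.

```python
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 5, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def build_connect_request(host, port):
    """Client side: wrap the real destination inside a SOCKS5 CONNECT request.
    An IPv4 literal travels as ATYP 1; any other name as ATYP 3, so the client
    never has to resolve it (the proxy does the lookup)."""
    try:
        addr = struct.pack("!B4s", ATYP_IPV4, socket.inet_aton(host))
    except OSError:                                  # not a dotted-quad literal
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = struct.pack("!BB", ATYP_DOMAIN, len(raw)) + raw
    return struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00) + addr + struct.pack("!H", port)

def parse_connect_request(data):
    """Proxy side: unwrap the request to learn where the client wants to go.
    This is where a SOCKS server applies its own rules and logging before
    opening the outbound connection on the client's behalf."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in request")
    return host, struct.unpack("!H", rest)[0]

def parse_reply(data):
    """Client side: decode the proxy's reply (success or the refusal reason)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_TEXT.get(data[1], "unlisted reply code %d" % data[1])

# Constructed exchange: the client asks the proxy for example.com:443 ...
REQUEST = build_connect_request("example.com", 443)
# ... and the proxy answers with a constructed "succeeded" reply (bound to 0.0.0.0:0).
REPLY = bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])
```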

Now create a firewall policy to allow SOCKS communication between a source and destination. For example, here I created a policy opening the SOCKS port between the internal network and the SOCKS gateway, which is my proxy server.

Apply changes. Click Ok.

The following screenshot shows the ICQ protocol available in the TMG 2010 protocol list. If you don't see your desired protocol in the list, you can add a user-defined protocol by simply adding a new protocol. For ICQ communication, you have to create a rule specifying the source and destination and the protocol you are allowing.

* Simplified deployment of BranchCache at the branch office (for Windows Server 2008 R2 users), using Forefront TMG as the Hosted Cache Server
* Forefront TMG and a read-only domain controller can be located on the same server, reducing TCO at branch offices

A secure Web gateway is a solution designed to keep users safer from Web-based threats. In general, it will include Web anti-malware inspection, URL filtering, and HTTPS inspection. With its long history as Microsoft ISA Server, Forefront Threat Management Gateway 2010 adds strong inspection of Web-based protocols to help ensure they conform to standards and are not malicious. It further extends this strong application layer inspection through the Network Inspection System.

Secure Web Gateway: Forefront Threat Management Gateway 2010 can be used to protect internal users from Web-based attacks by integrating Web antivirus/anti-malware and URL filtering. With HTTPS inspection, it can even provide these protections in SSL-encrypted traffic.

Improved Connectivity: Forefront Threat Management Gateway 2010 enhances its support for NAT scenarios with the ability to designate e-mail servers to be published on a 1-to-1 NAT basis. Additionally, Forefront Threat Management Gateway 2010 recognizes SIP traffic and provides a method to traverse the firewall.

Simplified Management: Forefront Threat Management Gateway 2010 has improved wizards to simplify its deployment as well as its continued configuration.

Forefront Threat Management Gateway MBE is a product designed specifically for mid-sized businesses purchasing Windows Essential Business Server. Forefront Threat Management Gateway 2010 builds on its functionality to provide a complete secure Web gateway solution, with such features as URL filtering and HTTPS inspection. It also delivers enhanced application layer inspection with Network Inspection System. With these features and others, it enables organizations to provide a higher level of security to their users.

A Proxy Server provides a number of useful functions in a company’s network infrastructure. Proxy Servers will go out and retrieve Web pages and content and return the Web pages to the internal network users. The fact that the proxy is retrieving the Web pages and not the actual clients adds an extra layer of protection to the clients because their internal IP addresses are hidden from the Internet. The proxy mechanism makes surfing external Web sites safer for internal clients.

If employees are constantly requesting pages from the same Web sites, the proxy server can store those requests locally on the server. When additional requests are made for content that has already been retrieved and stored locally, the proxy server will send the requesting client the copies of the pages from its stored cache. Utilizing this function, a proxy server will not have to go back out again and fetch the requested Web pages.

Forefront TMG 2010 can be configured to act as a proxy server in your environment to accelerate the performance of Internet access, as the name implies. The following flow chart shows how TMG performs proxy caching.

Figure: Flow chart

Forefront TMG 2010 performs the following steps:

1. Forefront TMG 2010 checks whether the object is valid. If the object is valid, Forefront TMG 2010 retrieves the object from the cache and returns it to the user.

2. If the object is invalid, Forefront TMG 2010 checks the Web Chaining rules.

3. If a Web Chaining rule matches the request, Forefront TMG 2010 performs the action specified by the Web Chaining rule; for example, routing the request directly to a specified Web server, an upstream proxy, or an alternate specified server.

4. If the Web Chaining rule is configured to route the request to a Web server, Forefront TMG 2010 determines whether the Web server is accessible.

5. If the Web server is not accessible, Forefront TMG 2010 determines whether the cache was configured to return expired objects. If the cache was configured to allow Forefront TMG 2010 to return an expired object as long as a specific maximum expiration time has not passed, the object is returned from the cache to the end user.

6. If the Web server is available, Forefront TMG 2010 determines whether the object may be cached, depending on whether the cache rule is set to cache the response. If it is, Forefront TMG 2010 caches the object and returns the object to the end user.
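The six-step flow above as a small, runnable model. This is an added example written for this page, not TMG code: the CacheRule fields, the prefix-based Web Chaining list and the 60-second TTL are assumptions chosen to make each branch of the flow observable, and the demo's clock and Web server are constructed so the origin can be taken down on demand.

```python
from dataclasses import dataclass

@dataclass
class CachedObject:
    body: bytes
    stored_at: float
    ttl: int                         # seconds the object counts as valid
@dataclass
class CacheRule:
    cache_responses: bool = True     # step 6: store responses at all?
    return_expired: bool = False     # step 5: serve a stale copy when the server is down?
    max_expired_age: int = 0         # step 5: grace period past the TTL, in seconds

class ProxyCache:
    """Constructed model of the six-step flow; fetch(destination, url) stands in for the Web server."""
    def __init__(self, rule, chaining_rules, fetch, clock):
        self.rule, self.chaining, self.fetch, self.clock = rule, chaining_rules, fetch, clock
        self.store = {}
    def route_for(self, url):
        # Steps 2-3: the first matching Web Chaining rule decides where the request goes.
        return next((dest for prefix, dest in self.chaining if url.startswith(prefix)), "direct")

    def request(self, url):
        obj = self.store.get(url)
        age = self.clock() - obj.stored_at if obj else None
        if obj and age <= obj.ttl:                        # step 1: valid object -> serve from cache
            return "cache-hit", obj.body
        try:
            body = self.fetch(self.route_for(url), url)   # step 4: is the server reachable?
        except ConnectionError:
            if obj and self.rule.return_expired and age <= obj.ttl + self.rule.max_expired_age:
                return "stale-hit", obj.body              # step 5: expired but inside the grace window
            return "unavailable", b""
        if self.rule.cache_responses:                     # step 6: cache rule allows storing
            self.store[url] = CachedObject(body, self.clock(), ttl=60)
        return "origin", body

def demo():  # constructed scenario: a controllable clock and a Web server that can be taken down
    state = {"now": 1000.0, "up": True}
    def fetch(destination, url):
        if not state["up"]:
            raise ConnectionError(destination)
        return ("%s via %s" % (url, destination)).encode()
    proxy = ProxyCache(CacheRule(return_expired=True, max_expired_age=300),
                       [("http://intranet/", "upstream-proxy")], fetch, lambda: state["now"])
    outcomes = []
    for advance, up in ((0, True), (0, True), (120, False), (600, False)):
        state["now"] += advance; state["up"] = up        # move the clock, toggle the server
        outcomes.append(proxy.request("http://intranet/page")[0])
    return outcomes
```

Running demo() walks one URL through a first fetch, a fresh cache hit, a stale hit served while the server is down inside the 300-second grace window, and finally an unavailable result once that window has also passed.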

Figure: Simple Visio diagram of proxy cache

Cache Storage: Forefront TMG 2010 can store objects on the local hard disk, and for faster access can store most of the frequently requested objects on both the disk and the RAM. Cached pages can be stored immediately in memory (RAM) to be accessed by end users requesting the Web content. A lazy-writer or buffered-writer approach is used to write pages to the disk. By default, 10 percent of physical memory is allocated for RAM caching. The cache file can be stored as follows:

Drive:\urcache\Dir1.cdat

Must be NTFS non system partition (Local disk)

Maximum cache size 64GB

Types of Cache:

Forward Caching: Caches all Internet traffic from external to internal, that is, all Internet pages requested by internal users.

Reverse Caching: Caches all objects sent from internal to external. This works with publishing to help offload the published server.

Configuring Forefront TMG 2010 Web Proxy & Proxy Cache

1. Open the Forefront TMG Management Console. Click Forefront TMG (Array Name) in the left pane.

2. In the left pane click on Web Access Policy.

3. In the right pane under the Tasks tab, scroll down and click on Web Proxy. Check Enable web proxy client connections for this network. Check Enable HTTP and type port 80, or if you want to use web proxy port 8080 then type port 8080.

4. To define the cache location and size, select the non-system partition where you want to store the cache file and enter the desired size of the cache file in the Maximum Cache Size (64000MB) text box. Click Set and then click OK to close the Cache Settings window.

6. Click Apply to apply changes.

Add new cache Rule

1. Go back to the Cache Settings mentioned above.

2. Click on the Cache Rules tab, then click the New button; you will be presented with the Cache Rule wizard.